Employees are using their own devices in the work place and asking to connect them to the company network. We look at the risks and implementation details of BYOD from a legal perspective in 2016.
Lake City 4 The Problem There is greater focus… …but, still poor results. 55% of Audit Committees think more agenda time should be devoted to cybersecurity 88% of Boards say that their strategic risk register includes a cybersecurity risk category TOP CONCERNS FOR AUDIT COMMITTEES 1. Gov., Processes, Controls and Risk 2. Management 3. IT Risk and Emerging Technologies 4. Uncertainty 5. Information Privacy/Security/Cyber Average # of exposed or compromised records in US data breach FTSE 350 Cyber Governance Health Check HM Government (U.K.) Reported losses ($US Billions) by US companies from unauthorized use of computers by employees in 2014. Average Cost ($US Millions) of an organizational data breach “Is Governance Keeping Pace?” KPMG 2015 Data Breach Industry Forecast Experian 2015 Cost of a Data Breach Study: Global Analysis IBM – Ponemon Institute U.S. Dept. of Health and Human Services 29,087 $6.53 $40 2015 Global Audit Committee Survey KPMG’s Audit Committee Institute
Lake City 5 BYOD • According to Forrest Research, 48% of employees will buy their own device – whether their organization approves or not. • 50% of US Employers Will Stop Providing Devices in 2017 • Employees are using their own devices in the work place and asking to connect them to the company network – this trend is known as Bring Your Own Device (BYOD). Pepper Hamilton – BYOD – Liability and Data Breach Sold Separately - 2013
Lake City 6 State of the BYOD • 63% of employees use mobile devices to access workplace data, including sensitive regulated data. • •Despite the risk, 67% of organizations have no special policy in place to monitor employees with access to regulated data. • •Only 52% of mobile devices with access to regulated data have adequate security. Pepper Hamilton – BYOD – Liability and Data Breach Sold Separately - 2013
Lake City 7 Benefits of BYOD • Company Avoids Owning Hardware and Ongoing Contracts • User Gets a Choice • Productivity/Reactivity • Equipment Goes With Employee – Company Data is Wiped Upon Departure
Lake City 8 Challenges of BYOD • Security is Difficult to Control With User Devices • Work-Life Balance • Policies are Lagging Behind Reality • Discovery Boundaries • Privacy Boundaries
Lake City 13 Steps to BYOD Risk Analysis (and Implementation) 1. Define the Data Access and the Risk Associated with Each Data Access 2. Refine Confidentiality for Each Data Access 3. Look for Balance of Data Security with Right to Privacy 4. Review Ownership and Cost Issues 5. Enable Meshing With Other Policies 6. Prepare Training and Buy-In
Lake City 15 Who Is Eligible for Data Access? • Careful of Hourly – Blurs The Overtime Line (Personal and Business on One Device) • Usually by Job Function • Where Do You Draw the Trust Line?
Lake City 16 Define the Data Access • What Data Do They Want? • What Data Can They Access? • Is it a Need? • What is the Productivity Gain? • What is the Risk of Loss? • What Data Can We Secure? • What Data Can We Partition?
Lake City 17 Example: Email • Want/Need • Exchange Email Data Can be Remotely Managed • Productivity Gain: Large • Risk of Loss: Breach Notification Laws • Email Data Can be Encrypted • Mobile Device Manager Can Enforce Partition and Security
Lake City 18 Example: Text Messaging • Want • Cannot Be Managed for iPhone (but can for Android/Blackberry) • Productivity Gain: Marginal • Risk of Loss: Breach Notification • Can Be Encrypted – Not in Transit • Cannot Be Partitioned Well (All or Nothing) • Alternate: Corporate IM Applications
Lake City 19 Data to Consider in BYOD Corporate Intellectual Property, Research, Development, Merger, Acquisitions, Divestiture, Trade secrets Customer Patient, Benefits, Financial, Health Employee Third Party Data Category A critical organizational need is to identify what data is sensitive and critical to each stakeholder in the information lifecycle. This categorization of data helps drive a risk-based agenda and meaningful investment. Attorney-Client Human Resources, Payroll, Health, Benefits, Performance Reviews Commercial Agreements, Rate Cards, Hosted Data, Managed Data Lawsuit, Arbitration, Privileged Communications
Lake City 21 Defining Confidentiality • Is the Data Access “Need to Know” • What Laws are Triggered by Employee Access and/or Processing of the Data? • What Reporting Procedures are Needed? • What are Unintended Consequences of Remote Wipe? • Synergy with Document Retention/Destruction • Actually Implementable (Waiver of Safe-Harbor Defenses)
Lake City 22 Example: Email • Need to Know – Yes • Potential Laws – Europe, HIPAA, SEC, Sarbanes-Oxley • Reporting – European Data Protection Comm., SEC, HIPAA, Data Breach Notif. • Remote Wipe – Health, Pictures, Notes • Retention/Destruction – Same as Desktop • Implementable – Same as Desktop
Lake City 24 Employer Security vs. Employee Privacy • Clumsy Handling of Employee Devices – Embarrassment and/or Potential Claims • Define What Is Monitored and/or Accessed – Demonstrate Unambiguous Consent • Train on the Management Software – Understands Use -> Informed Consent – Informed of Right to Revoke Consent and Consequences
Lake City 26 What Is and Is Not Covered • Clearly Define Incentives – Funding Data Plans, Insurance, Subsidizing Price • Clearly Define Company Non-Liability for What Employee Does With Device • Define Difference Between Personal and Business Use of Device and Payment • Tax Advice for Benefit in Kind
Lake City 27 Anticipate the Life Cycle • Procedures for Loss – When to Report (Hours/Days) • Sale of Device – Demand Device for Scrub Before Sale • Procedures for Termination – Right to Buy Device • Retiring a Device – Scrub Device Before Retirement • Repair
Lake City 28 Anticipate the Use • Who Can be Given the Passcode? – Wife, Kids, Which Repair Shop, IT, Nobody • Who Can Use the Device? – Electronic Babysitter • Mixed Use – Confidential Photos on Shared Photostream • Backups – Where Allowed, When Destruction
Lake City 30 Integrate with Other Policies • Establish the Standard-of-Care - Together • Same Retention Periods • Same Destruction Procedures • Litigation Holds • Information Security • Acceptable Internet Use • Social Media • Harassment/Discrimination
Lake City 32 Inform, Teach, Consent, Enforce • Provide Copy of Policy • Receive Training on Policy • Sign Express Authorizations for: – Monitoring – Remote Wipe – Disable • Clear, Written and Enforced!
Lake City 34 Employee Risks • Theft by Employee is Easier • Decreased Security – Which Thumbprints Authorized (Roommate) • Hacking – Applications Installed by Employees – Visiting Out of Country • Adverse Party With Device • Illegal Behavior: Driving, Illicit Materials
Lake City 35 Discovery • Sequestering Personal vs. Company Data • Surrender of Personal Data • Imaging Without Personal Data • Obtaining Physical Access to Device • It Appears that Policies Govern Employee’s Right to Privacy to the Extent They are Enforced – For Employer Provided Device (Likely Same for BYOD) Quon v. City of Ontario (560 US 746 (2010)
Lake City 36 Hacking • Failure to Adhere to Minimum Standards – Not Adequately Secure Data • Leakage of Data by Virus or App (Check- In) • Jailbroken Phones
Lake City 38 Consider These Definitions: • Acceptable Use • Purposes of Device and Data for Business • Allowable Technologies (Jailbreak!) • Network Access • Restrictions
Lake City 39 Consider These Terms: • Security Measures • When Monitoring and Procedures for it • Ownership of Device • Contract Responsibility • Data Responsibility • Ownership of Business Software on Device • Termination Procedures Relating to Device • Disciplinary Action for Violation
Lake City 42 From Policy to Device Mobile Device (Accountability on User) Managed by User Unknown / Partial App Set Mobile Device Manager (Reduce Management Overhead) Minimum Requirements and Opt-In Rules Management Permissions Information Security Policy Policy and Standard Mobile Device Policy
Lake City 43 References • For an IT Perspective: – CSX: Securing Mobile Devices, ISACA, 2012 • For Policy Language: – Fedeles, Sherer, Selby - Bloomberg BNA: Privacy & Data Security Law Resource Center – BYOD Policies, 2016 • For an Employment Perspective: – Klein, Diamond, Kagan, BYOD (Bring Your Own Device)…Liability and Data Breach Sold Separately, Pepper Hamilton LLP, 2013 • For a Litigation Perspective: – Hinkes, BYOD Policies: A Litigation Perspective, American Bar Association, 2014 • For a Pessimistic Overview of the Legal Landscape – Avoiding BYOD Legal Issues, Route1 Inc., Sept. 2013 • For a Fit of the BYOD in With Other IT Trends – Rainbow, IT Trends and Future Considerations, Moss Adams LLP, (Date Unknown)
benholt
takusamar
o2mami
nextfield
umzws
findyinc
nyattx
alexanderbyndyu
ar_tama
wakayamaguchi
hrbrain
trinitytechnology
sachag
jcasabona
lauravandoore
sonatard
3n
shpigford
maggiecrowley
productmarketing
mraible
swwweet
kevinliebholz
lara
